Jump to content
Strawberry Orange Banana Lime Leaf Slate Sky Blueberry Grape Watermelon Chocolate Marble
Strawberry Orange Banana Lime Leaf Slate Sky Blueberry Grape Watermelon Chocolate Marble

MSFN is made available via donations, subscriptions and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. Alternatively, register and become a site sponsor/subscriber and ads will be disabled automatically. 


GrandAdmiralThrawn

Member
  • Content count

    14
  • Donations

    $0.00 
  • Joined

  • Last visited

Community Reputation

5 Neutral

1 Follower

About GrandAdmiralThrawn

Contact Methods

  • Website URL
    http://wp.xin.at
  • ICQ
    34461020

Profile Information

  • OS
    XP Pro x64
  • Country
  1. KernelEx for Win2000

    1.) Way I understand it, that's not something stunnel can do for you, as it requires one specific local socket for each server you want to connect to. This is especially problematic with HTTPS due to the branching nature of HTML. Say you set up an unencrypted listen socket localhost:4000 with stunnel, mapping that port to securewebserver.com:443. That would make your initial HTTP connection secure (http://localhost:4000, which would be redirected to securewebserver.com:443). However, your webbrowser now downloads HTML, which will have lots of <a href="someurl.com"> inside, plus JavaScript which does god knows what. Your stunnel is unaware of the contents of that HTML and your webbrowser is unaware that its initial connection was being tunneled. So your browser will just parse all those hyperlinks and try to open up connections to them directly, thus bypassing your stunnel. As you can see, this can never work for outbound connections of this kind. Plus there is no way to just "catch" all those connections and wrap them up in HTTPS - this would have to happen at the kernel level, inside the TCP/IP stack (I believe). I know of no such approach ever having been pursued. Either it's single connections to single servers that you can create a local listen socket for specifically in the stunnel configuration, like this... [SuperSecureServer] client = yes accept = 127.0.0.1:4000 connect = securewebserver.com:443 verifyChain = yes CAfile = ca-certs.pem checkHost = securewebserver.com OCSPaia = yes ...or stunnel is the wrong tool for the job. It's much more useful for securing servers rather than clients. I assume the software to use here would rather be a modern enough web proxy server, that accepts HTTP within the LAN, but attempts (secure) HTTPS to the outside world whenever possible. I'm not knowledgeable about proxy servers though. Plus, the user wouldn't really see when a connection is encrypted, like we do know with the "lock" icon etc., because the client would be talking to the proxy in plain HTTP. 2.) I'm sorry, but I'm not sure what that question means. You mean ca-certs.pem? @DanR20: Nice to know!
  2. KernelEx for Win2000

    I'm actually running his New Moon / Palemoon on XP x64 now. I thought he also released a K-Meleon/Goanna Build for Windows 2000 somewhere in his thread? Or maybe another user did, not sure anymore. I think it was roytam1 though. The current Basilisk should be based on UXP (a XUL fork) and on FF52. The former one was based on FF 55 and called "Moebius" I think. Anyhow, I don't think I'll ever get a KernelEx version that works on my German Windows 2000 boxes. In hindsight, I should've installed them with an English version, but I didn't think about the current scenario back then. I'm not too fond of "total system conversions" like this one anyway. I would find it more elegant to use application-specific DLL hacks, that redirect unsupported library calls to stub DLLs and the rest to the systems' DLLs. Something like what Oleg Ovcharenko did with his hack for the Stellaris / Europa Universalis games on XP. Or ScavengerSpb / KawaiiSara for the newer X-COM games. Reason being that such hacks don't affect the system as a whole, and thus cannot have any influence on other applications.. But there is no "universal" one anywhere to be seen, especially not for Win2000.
  3. My build of New Moon (temp. name) a.k.a. Pale Moon for XP

    I agree with that very statement a 100%! I wish more people would think exactly like that.
  4. KernelEx for Win2000

    Because it's German. BlackWingCat has released quite a few update packs, but never for any German version of Windows. Attempting to force the EN version onto it resulted in a major destruction of the system. btw., for now I have found a partial workaround. It won't cover all cases, but at least it does cover the listen ports! I just disabled all the native SSL listen ports and used stunnel to listen on them instead, using a modern version of OpenSSL and map them to local plain listen ports. Like map TLS port 443 to local port 80. Interestingly, stunnel in it's newest version still works on Windows 2000*. With that, you can set up TLS listen ports using the TLS v1.2 protocol and modern ciphers like AES256-GCM-SHA384. Together with a slightly hacked version of the le32 ACME client, I managed to make it use Let's Encrypt certificates in an automated fashion as well. The whole process is documented [here]. However, there is one case, that this cannot cover, and that's outbound connections. So I had to switch those to plain text. That's when say my local mail server tries to transfer mails via SMTP to remote servers / email inboxes. You can't filter that with stunnel arbitrarily. Somehow upgrading the CryptAPI / schannel would be the best solution after all... *Edit: I just found out, that OpenSSL 1.1.1 and stunnel 5.45 beta 6 don't compile/link properly for an NT 5.0 / Windows 2000 target. However, with some source code patches, I managed to make OpenSSL 1.1.1 Beta 1 work on Win2k even with TLS v1.3 enabled and stunnel 5.45b6 linked against it, cross-compiling on CentOS 6.9 Linux with mingw from EPEL. I will document that process later, after TLS v1.3 has been finalized and officially supported by stunnel.
  5. KernelEx for Win2000

    Hey, I would like to ask about an upgrade I'm in dire need of, but unfortunately the target machine is a German Windows 2000 Server. The component I'd like to upgrade is schannel, which I know is provided by exkernel, but installing the thing wrecks the target OS completely, destroying larger parts of the GUI, management console snapins and god knows what else. Is there a way to upgrade *just* schannel and its required libraries, so I can get more modern SSL/TLS ciphers and protocols? An optimal solution (for me) would be to do this on a per-application basis, not system-wide. My reason is, that one of my services is now failing as it's communicating with other servers on the web, which now tend to just drop insecure connections using old ciphers. If there is a way, please do tell! Thanks!
  6. POSReady 2009 updates ported to Windows XP SP3 ENU

    Ah, thank you very much. I guess the most relevant part would be this:
  7. POSReady 2009 updates ported to Windows XP SP3 ENU

    Umm, sorry for this maybe stupid question, but... What exactly does KB4074852 even do, or what is it supposed to fix? I can't find any actual information about that, no Technet article, no CVE numbers or anything.
  8. My build of New Moon (temp. name) a.k.a. Pale Moon for XP

    I just patched all the binaries I could find that require something > NT 5.2 (XP x64/Svr2003). Some of them target NT 6.0 (Vista), others 6.1 (7). The complete list is as follows: DLLs: gmp-clearkey\0.1\clearkey.dll, gmp-fake\1.0\fake.dll, gmp-fakeopenh264\1.0\fakeopenh264.dll, D3DCompiler_43.dll, d3dcompiler_47.dll, freebl3.dll, IA2Marshal.dll, lgpllibs.dll, libEGL.dll, libGLESv2.dll, mozavcodec.dll, mozavutil.dll, mozglue.dll, msvcp140.dll, nss3.dll, nssckbi.dll, nssdbm3.dll, qipcap64.dll, softokn3.dll, vccorlib140.dll, vcruntime140.dll, xul.dll EXEs: icecat.exe, plugin-container.exe, plugin-hang-ui.exe, xpcshell.exe After the binary patching, IceCat x64 doesn't throw any errors when launched on XP x64, but it does immediately terminate without showing any GUI. Guess it's not that easy.
  9. My build of New Moon (temp. name) a.k.a. Pale Moon for XP

    Even MSVC/MSVC++ 2017 can target XP and XP x64 if you choose to install support for that (platform toolset v141_xp)...
  10. My build of New Moon (temp. name) a.k.a. Pale Moon for XP

    It most likely is compatible with Server 2003, as it works on XP x64 (which shares its kernel version 5.2 and its APIs with Server 2003). That's what the 64-bit build is for anyway: XP x64 and Server 2003 x64, as there are no 64-bit NT 5.1 systems, that's all NT 5.2. Edit: I just tested the 32-bit and 64-bit versions of New Moon on Windows Server 2003 x64 Standard. Works fine, as expected.
  11. My build of New Moon (temp. name) a.k.a. Pale Moon for XP

    @dv_2, I have the exact same issue with OpenGL, but I haven't tried it with official Palemoon on Windows 7 or anything like that yet. As for the name, I believe New Moon to be a pretty nice name for a browser targeting a group officially dead operating systems. Kinda fitting. But that's just my own opinion.
  12. My build of New Moon (temp. name) a.k.a. Pale Moon for XP

    I find it fitting to have a different icon color for the New Moon fork instead of the original blue Pale Moon icon, and I don't dislike black. So that's a matter of individual tastes. Maybe you could also just assign the original icon to the palemoon.exe of the New Moon fork on your local machine(s). I've attached the icon group of the original Pale moon to this post (as an .ico file containing the blue icons in several resolutions). palemoon.ico Keep in mind, you can't assign it to the .exe directly. Create a desktop or task bar link to palemoon.exe, then right-click that and pick "properties". There you can assign a new icon for that link.
  13. My build of New Moon (temp. name) a.k.a. Pale Moon for XP

    You may attempt to force layer acceleration with New Moon. You need to set the property "layers.acceleration.force-enabled" to "true" on the about:config page. For me, I also had to set either "layers.prefer-d3d9" or "layers.prefer-opengl" to "true" for it to work for some reason. Maybe it tries D3D10 or higher and just fails when it's not detected, no automatic fallback? Anyway, OpenGL gave me display glitches, so I went with D3D9. With that, videos also play fine in YouTubes' fullscreen mode, which is otherwise unusable. GPU is a GTX Titan Black in my case, with the last XP x64 driver, 368.81. Not sure how stable it really is though, I've only played with this for a while, then switched it off again, as I don't really need it. Just wanted to see how I can get fullscreen video to render smoothly, because somebody asked me to find a way to do this with New Moon.
  14. My build of New Moon (temp. name) a.k.a. Pale Moon for XP

    Hello! I just registered here to thank you for your port to XP and XP x64, roytam1! I've replaced my FF ESR with it, and it's really quite a bit faster. I've even compiled Pale Moon on my CentOS 6.9 Linux workstation now, as it's otherwise locked to the same FF ESR version as XP for now, by its package management. Just for the added speed. Anyway, I've been running the 64-bit version of New Moon on my XP x64 for the past week or so, and it just works! For the heck of it, I tried to push the limits a slight bit up to ~5.5GB of memory usage by spawning a ton of tabs. No problems with that either, it just keeps working in a stable manner. Thanks a lot!
×